What is QuadRooter? Android bug exposes 900m phones to attack, including Galaxy S7

QuadRooter is a newly uncovered security flaw that reportedly affects any device with a Qualcomm chip – that’s a whole lot of devices. If you’re concerned about this issue, here’s what you’ll want to know.

What is QuadRooter?

QuadRooter is actually four different vulnerabilities, which Check Point says affects any device using a Qualcomm chipset. The flaws are embedded in the software that handles graphics, and the code that controls communications between different processes that run inside your phone.

If any one of the vulnerabilities is exploited, a hacker could gain root access to a device, giving the attacker control of a phone or tablet’s systems. The attacker does this through a process called “privilege escalation”.

What is rooting?

Rooting a device means attaining “root access” to a system. That means you get access that’s similar to administrative permissions on a device, including device control and access to data.

Many users intentionally root their own devices, because it gives users the “permission” to change or replace system applications and settings, run specialised apps, and perform other tasks that a standard, non-admin user can’t.

Rooting a phone gives users special permissions for system-level features

Latest

Why is this bad?

While rooting is popular amongst Android users, it’s also a risky business. Worse still, if a hacker roots your device, you can be left completely exposed.

“An attacker can exploit these vulnerabilities using a malicious app,” explains Adam Donenfeld, Mobile Researcher at Check Point. “Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing.”

Which phones are affected?

Here’s the problem: QuadRooter affects any phone with a Qualcomm chip, and the lion’s share of smartphones and tablets (around 900 million, in fact) use Qualcomm chips – it’s the market leader, in fact.

We’re not going to list all 900 million devices here, obviously. But here are some of the latest and most popular handsets running Qualcomm fare:

Samsung Galaxy S7 and S7 Edge (US-only)

Google Nexus 5X, Nexus 6, and Nexus 6P

HTC One, HTC One M9, and HTC 10

LG G4, LG G5, and LG V10

Motorola Moto X

OnePlus One, OnePlus 2, and OnePlus 3

Samsung’s Galaxy S7 is one of the devices reportedly affected by the flaw, but only the SD820 versions (i.e. not the units with Exynos chips)

Can I fix this?

Unfortunately, no. The vulnerable drivers are pre-installed on devices when a phone is manufactured, and can only be fixed with a software update from a distributor or network carrier.

But to complicate matters further, distributors and network carriers can only issue their patches after received fixed driver packs from Qualcomm.

That’s why QuadRooter is a particularly great example of one of Android’s chief problems. To fix a problem like this, a security update needs to pass through the entire supply chain before it reaches the end user, i.e. you.

And even once the security patch is issued, the user still needs to install the updates manually to fix the issue.

How can I stay safe?

The first thing you should do is always download and install the latest Android updates as soon as they’re available. Regularly updating your phone is a great way to avoid being hacked, especially as many major Android phone manufacturers have committed to monthly security updates.

It’s also worth remembering that QuadRooter is a vulnerability that is exploited by getting a user to install a malicious app. To defend against this, it’s important to:

Be aware of the risks of rooting your device

Make sure you examine any app installation request to make sure it’s legit

Be wary of apps that ask for unusual permissions, or that use large amounts of data or battery life

Only use trusted and known Wi-Fi networks

Security experts advise against downloading apps from outside of the Google Play store

Has Qualcomm responded?

Qualcomm did respond to our request for comment, but unfortunately could not confirm the number of devices affected – “it’s not something we track”.

The following statement was provided:

“Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies, Inc. (QTI). We were notified by the researcher about these vulnerabilities between February and April of this year, and made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July. The patches were also posted on CodeAurora. QTI continues to work proactively both internally as well as with security researchers to identify and address potential security vulnerabilities.”